Click-Fraud Originating from "Facebook App"

At Oxford Biochronometrics we regularly organize a bothunt, although a better term would be fraudhunt. This means analyzing, scrutinizing, creating anomaly statistics, etc. on raw data in order to spot outliers and irregularities and if you’re lucky find a new type of fraud and win the bothunt medal of honor.

Over time it has become harder and harder to spot fraud, as most low hanging fraud is detected automatically the remaining portions look very clean and human-like. When dealing with large institutions and corporates running massive campaigns and thus having tons of human visitors the remaining fraud -if it even exists- hides well in aggregates. One trick is to start filtering per source or affiliate, because each of them is paid independently and there's always some source or affiliate that feels the need to blend some inferior cheap traffic into the stream of visitors to siphon your spend.

When advertising on Meta Facebook you pay for impressions in the user’s feed or for clicks on your advertisements [1]. Fraud is directly related to how you buy your media. If you pay for clicks (CPC), fraudsters are incentivized to only generate clicks. The same logic applies when buying to leads (CPL / CPA), except in lead generation you have a feedback loop. Following up on the leads gives a good picture of the amount of fraud, eg. if 80% of the callees deny that they have filled out your lead generation form you not just know but also have confirmed you were hit by fraudsters. That’s why buying media in CPL / CPA in combination with 1st class fraud detection (hint: Oxford Biochronometrics ) is the optimal setup: You will know the fraud status prior to making the call, return generated leads with reason: fraud, thus not paying for those thus lowering your marketing costs and mitigating litigation risks.

This time Meta’s Android "Facebook app"

The casus: Small business has fraudulent flagged visitors originating from "Facebook app"

Facebook traffic mostly (>90%) originates from the Facebook app, only a fraction of the traffic comes from desktop. There are multiple Facebook apps. The most common one is the regular Facebook app and the other one using less (mobile) data is the Facebook Lite app.

We'll be looking at traffic originating from the Facebook app which can be recognized by looking at the user agent (UA). Besides the UA many other properties of the browser are recorded which give an overview of who and what is loading your landing page originating from the Facebook app.

Looking at the UA reveals which mobile operating system is used: Android or iOS (marked in yellow). Secondly, the UA shows which browser version (in gray) and also which Facebook app version were used (in red). The UA may be spoofed by the fraudster, but for a JavaScript based fraud detection this is easy to detect and flag. In these two examples the UA belongs to the reported browser and OS. Let’s take a look at two UA examples:

and

The Facebook app appends a string to the useragent marked in red showing which OS and which app version made the request. Android adds FB_IAB/FB4A which translates to FaceBook InAppBrowser / FaceBook for Android. IOS has a similar string FBAN/FBIOS. The added FBAV/xxx.x.x.xx.xxx portion shows the Facebook app version.

FBCLID

Each click from within the Facebook app to an external website gets an FBCLID appended to the URL as a querystring key/value. This FBCLID is the FaceBookCLickID. The value is a per-click unique (Facebook server side) generated hash [2]. Its length is between roughly between 60 and 155 characters and includes hyphens and underscores. The same ID may appear multiple times at your landing page, in such a case the FBCLID is cached and the clicks occurred quickly after another. In this breakdown we’ll be looking at unique FBCLIDs only, as you only pay once per visitor that clicked.

Platform

In this analysis we’ll be looking at Android traffic only. Besides the user agent much more information can be extracted from the browser. For example, the navigator.platform [3]. This resembles the CPU architecture of the device. On Android the most common values are: Linux armv6l, Linux armv7l, Linux armv8l, Linux armv81 and Linux aarch64. These values have to match the phone model, which is marked orange in the Android user agent example above.

HTTP Headers

At each request the browser sends a set of HTTP headers. These headers contain information which which accepted encoding, accepted language, referrer, cache control, character sets, session cookie, user agent, etc. (see: RFC 7231). Although these headers are standardized different browsers render these headers slightly different. This can be fingerprinted and outliers can be spotted [4].

Bothunt fraud details

When looking at the unique clicks in a small businesses' campaigns (eg. travel, hospitality) having an unique fbclid we observe that 61% of the clicks comes from Android. The remaining 39% clicks comes from iOS (iPhone and iPad). A stunning ~95% of the Android clicks is flagged as fraud, and all clicks have the exact same type of fraud. The same behavior is also observed at larger companies and campaigns, though the fraud percentages are lower because their volume is bigger and thus relatively more real humans are attracted to the landing pages. It is easier to get high fraud percentages at low volumes, and small companies have no weapons against this type of fraud.

So, in short how does this fraudulent Facebook traffic look like?

• Traffic originates from the intended and targeted geolocation
• The traffic comes from real physical mobile phones, directly making the request
• The requests are made by an Android webview browser, most recent version: Chrome/123.x.x.x
• User agent contains FB_IAB/FB4A indicating Android Facebook app
• The requests have slightly incorrect HTTP headers
• The same reported platform for each fraudulent visit of this type
• The browser reports a spoofed renderer and not its real renderer

And that, my dear LinkedIn friends, is how this apparent Facebook app originated fraud burns through your ad spend. In this travel agency’s example a few hundred dollars a week. Besides complaining about poor conversion ratios, ie. low amount of bookings, there’s not much else a small business can do.

I'd love to create a 100+ page Adalytics -like report with methodology, many screenshots, show in detail which HTTP headers are not correct and why, how to determine a spoofed renderer, and corroborate evidence from different businesses being affected, etc. But, in contrary to legitimate businesses having to correct their behavior or be punished by the markets; fraudsters will thank me for such a free improvement report, and not even thank me personally nor financially but thank me by improving themselves and making advertisers' lives even more miserable.

Why?

You might be wondering why would this happen? Who benefits from this? Let’s assume you are running a campaign at scale, besides buying traffic directly, you also use affiliates to generate traffic and pay per click. The goal is to see visitors arriving at your landing page, of which a subset buys a car insurance, books a vacation, test drive in a new Renault, or buys your virus scanner, etc. But, as always the majority of clicks don’t convert to a generated lead or sale. Yet, you still have to pay for the clicks unless you know and would have flagged them as fraud, if not: the affiliate wins and the invoice is paid.

Another reason would be when an agency running your campaign, buys cheap traffic in order to artificially boost numbers in order to claim success. Although in 2024 it's common knowledge that bought traffic == bot traffic.

Since when?

Once you know the pattern to look for it becomes easy to search for fraud in historical data. Based on the data collected by Oxford Biochronometrics we could trace back this fraud type back to September 2023. With Oxford Biochronometrics ' limited view of all traffic originating from this apparent Facebook app one might wonder what the true scale of this fraud is.

Now what?

So, you are a small business owner: What can you do? If your site has less than 10,000 visits a month, we don’t charge for our service, we never have. Though, the free service comes without a real-time feedback, which most small businesses don’t need. You typically just want a monthly overview, which can be extracted from our dashboard, and use this data to get a refund or credit traffic for the coming month.

Lastly, if anyone knows a good contact at Meta/ Facebook HMU, because it’s their reputation on the table; I do have many more details and the FBCLIDs which Facebook should be able to track. I’m sure a lot more companies from SME to FSTE 100 are affected and to my understanding this type of fraud is not detected by legacy fraud detection vendors [5].

Sharing, liking and comments are appreciated. Feel free to connect or DM with questions

#facebook #clickfraud #cmo #digitalmarketing #adfraud

[1] https://www.facebook.com/business/help/716180208457684?id=1792465934137726

[2] https://dl.acm.org/doi/pdf/10.1145/3543507.3583311

[3] https://developer.mozilla.org/en-US/docs/Web/API/Navigator/platform

[4] https://www.dhirubhai.net/posts/kouwenhovensander_frauddetection-fingerprinting-activity-7049009901523656705-xrkX

[5] https://www.dhirubhai.net/posts/kouwenhovensander_adfraud-b2c-digitalmarketing-activity-7125112905296957441-O4Wp